Kajekar et al - GAU 2453 (Chea)
Reply to Office Action 

REMARKS 

The Examiner is thanked for the performance of a thorough search and for considering 
the references included in the Information Disclosure Statement filed on March 24, 2004. 

Claims 1, 4, 9-11, 16-18, 22, 24-26, 27-39, 41-48, 49-62, and 64-72 have been 
amended. Claims 14, 40, and 63 have been canceled. No claims have been added. Hence, 
Claims 1-13, 15-39, 41-62, and 64-72 are pending in the present application. 

The issues raised in the Office Action mailed December 14, 2009 are addressed 
hereinafter. 

I. ISSUES NOT RELATING TO PRIOR ART 

A. OBJECTIONS TO THE CLAIMS 

Claims 28-29 were objected to because an apparent typographical error listed these 
claims as depending from Claim 26 instead of Claim 27. Claims 28-29 have been amended 
herein to correct this typographical error by specifying that these claims depend from 
independent Claim 27. For this reason, reconsideration and withdrawal of the objection to 
Claims 28-29 is respectfully requested. 

B. REJECTIONS UNDER 35 U.S.C. § 101 

Claims 49-71 were rejected under 35 U.S.C. § 101 as allegedly directed to non-statutory 
subject matter. 

As suggested in the Office Action, each of Claims 49-71 has been amended herein to
feature a "computer-readable storage medium . . .". For at least this reason, it is respectfully
submitted that each of Claims 49-71 is directed to an article of manufacture, which is statutory
subject matter. Reconsideration and withdrawal of the rejections of Claims 49-71 under 35 
U.S.C. § 101 is respectfully requested. 

II. ISSUES RELATING TO THE CITED ART 

A. PRELIMINARY NOTES

For all claims except Claims 25 and 26, the Office Action does not specify exactly what 
in the cited references corresponds to or constitutes each element or feature of the claims. In an 
Office Action "the particular part relied on must be designated as nearly as practicable . . . The 
pertinence of each reference, if not apparent, must be clearly explained . . ." (MPEP §707, citing 
37 C.F.R. § 1.104(c)(2)), and "the particular figure(s) of the drawings(s), and/or page(s) or 
paragraph(s) of the reference(s), and/or any relevant comments briefly stated should be 
included." (MPEP §707). The present citations to the references do not provide the Applicants 
with adequate notice or reasonable particularity with respect to the basis of the rejections 
because the features of all claims except Claims 25 and 26 are not even listed in the Office 
Action. As a result, the Applicants have had to engage in guesswork to determine the basis of 
the rejections of all claims except Claims 25 and 26. 

Since the Applicants could not find any structure or functions in the cited references 
that correspond to each and every feature recited in the claims, the Applicants respectfully 
request that the next Office Action specify exactly what in the cited references corresponds to 
each feature of each claim. The Applicants believe that providing such specifics in the next 
Office Action would greatly expedite the prosecution of the present application. 

Finally, it is noted that the Office Action rejected the present claims under 35 U.S.C. § 
103(a) in part over Cohen et al, U.S. Patent Application Publication No. US 2005/0193430 
("COHEN"). However, COHEN was filed on April 28, 2005, which is after the filing date of 
the present application. Thus, it appears that the Office Action relies on the filing date of 
COHEN's parent application as the effective date of COHEN against the claims of the present 
application. If indeed this is the case, the Applicants respectfully request that the next Office
Action make this explicit in the record.

B. INDEPENDENT CLAIM 1

Claim 1 was rejected as allegedly unpatentable under 35 U.S.C. § 103(a) over Cohen et 
al, U.S. Patent Application Publication No. US 2005/0193430 ("COHEN") in view of Milliken 
et al, U.S. Patent No. 7,200,105 ("MILLIKEN"). The rejection is respectfully traversed. 

Among other features, Claim 1 comprises: 

  representing a possible travel of a packet in a network based on topology data and
  on security policy data;

  wherein the step of representing comprises:

    checking an inbound access control list (ACL), included in the security policy
    data, of an interface of a network device comprising a network entry
    point for the packet;

    if the inbound ACL permits ingress of the packet, checking one or more
    outbound ACLs for each outbound interface of the network device
    to determine one or more possible outbound interfaces on which
    egress of the packet is permitted;

    for each of the one or more possible outbound interfaces on which the
    egress of the packet is permitted, repeating the checking steps with
    respect to each neighbor network device that is connected to each of
    the one or more possible outbound interfaces;

The Office Action appears to assert that the above features of Claim 1 are described in COHEN.
This assertion is incorrect.

COHEN describes a system that locates possible attack routes, detects flawed 
configurations of security measures (e.g., access control lists of firewalls or routers), identifies 
actual vulnerabilities, mitigates risks, conforms to accepted uses of existing security policies, 
and performs remedy analysis. (See COHEN, paragraph [0011].) Significantly, however,
COHEN does not describe any functionality that checks inbound Access Control Lists (ACLs) 
and outbound ACLs of network device interfaces for the purposes of determining the possible 
penetration of a packet in a network. 

For example, in paragraphs [0037]-[0048], COHEN describes the performance of an
attack simulation. Specifically, in paragraphs [0038]-[0045], COHEN describes that an attack
is simulated in part by evaluating constraints defined for all states of all services provided by
network nodes, where a state of a service represents a result of an action performed on a 
network node. (See COHEN, paragraph [0032].) Significantly, however, the constraints 
evaluated in COHEN do not include ACLs associated with the interfaces of a network device. 
For example, in paragraph [0032] COHEN describes that a constraint may be associated with 
whether an attacker needs to gain knowledge of a management password or with whether a 
node has the ability to send HTTP packets to a web server. Further, in paragraph [0048] 
COHEN describes that a constraint may be associated with whether a node can receive HTTP 
packets, and in paragraph [0077] COHEN describes that a pre-condition for an attack may be 
whether a web server allows for buffer overflow. In the most telling example, paragraph 
[0075] of COHEN describes a result table listing detected vulnerabilities along with the policy 
violations and the pre-conditions that are necessary to effectuate the vulnerabilities; however, 
the policy violations and the pre-conditions listed in this table do not describe or even suggest 
that ACLs associated with interfaces of a network device are used in determining the listed 
vulnerabilities. 

In contrast, Claim 1 comprises the features of: representing a possible travel of a packet 
in a network based on topology data and on security policy data, where representing the 
possible travel of the packet comprises: checking an inbound ACL, included in the security
policy data, of an interface of a network device comprising a network entry point for the 
packet; if the inbound ACL permits ingress of the packet, checking one or more outbound 
ACLs for each outbound interface of the network device to determine one or more possible 
outbound interfaces on which egress of the packet is permitted; and for each of the one or more
possible outbound interfaces on which the egress of the packet is permitted, repeating the 
checking steps with respect to each neighbor network device that is connected to each of the 
one or more possible outbound interfaces. These features of Claim 1 indicate the
functionalities of checking the inbound ACL of a network device interface that is the entry
point of the packet in the network and, if the inbound ACL permits the ingress of the packet, 
checking one or more outbound ACLs of the outbound interfaces of the network device to 
determine the neighbor network devices to which the packet can travel. Claim 1 also specifies 
that these functionalities of Claim 1 are repeated for the inbound and outbound ACLs of the 
interfaces of each neighbor network device to which the packet can travel. Since COHEN does 
not describe any functionalities that use ACLs of network device interfaces to determine 
whether a packet can ingress and egress of a given network device, COHEN does not describe 
the above features of Claim 1.
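
The checking steps recited in Claim 1 can be illustrated with a short Python sketch. This is an added example, not code from the application or from the cited references; the ACL rule format, the topology layout and all names (acl_permits, possible_travel, TOPOLOGY, R1, FW, WEB, DB) are assumptions made for illustration, and routing tables are ignored so that every outbound interface whose ACL permits egress counts as a possible next hop.

```python
from ipaddress import ip_address, ip_network

def acl_permits(acl, pkt):
    """First matching rule wins; a packet matching no rule is denied."""
    for action, src, dst, proto, dport in acl:
        if (ip_address(pkt["src"]) in ip_network(src)
                and ip_address(pkt["dst"]) in ip_network(dst)
                and proto in ("any", pkt["proto"])
                and dport in (None, pkt["dport"])):
            return action == "permit"
    return False

def possible_travel(topology, entry, pkt):
    """Devices the packet can enter, starting at entry = (device, interface)."""
    reached, visited, stack = set(), set(), [entry]
    while stack:
        dev, ifname = stack.pop()
        if (dev, ifname) in visited:          # guard against topology loops
            continue
        visited.add((dev, ifname))
        if not acl_permits(topology[dev][ifname]["in"], pkt):
            continue                          # ingress denied: this path ends
        reached.add(dev)
        for out_name, out_if in topology[dev].items():
            if out_name == ifname or out_if["peer"] is None:
                continue                      # skip ingress side and edge links
            if acl_permits(out_if["out"], pkt):
                stack.append(out_if["peer"])  # repeat the checks on the neighbor
    return reached

ANY = "0.0.0.0/0"
PERMIT_ALL = [("permit", ANY, ANY, "any", None)]
# Constructed sample topology: internet -> R1 -> FW -> {WEB, DB}
TOPOLOGY = {
    "R1": {"wan": {"in": PERMIT_ALL, "out": PERMIT_ALL, "peer": None},
           "lan": {"in": PERMIT_ALL, "out": PERMIT_ALL, "peer": ("FW", "outside")}},
    "FW": {"outside": {"in": [("permit", ANY, "10.0.1.0/24", "tcp", 443)],
                       "out": PERMIT_ALL, "peer": ("R1", "lan")},
           "dmz": {"in": PERMIT_ALL, "out": PERMIT_ALL, "peer": ("WEB", "eth0")},
           "db": {"in": PERMIT_ALL, "out": [("deny", ANY, ANY, "any", None)],
                  "peer": ("DB", "eth0")}},
    "WEB": {"eth0": {"in": PERMIT_ALL, "out": PERMIT_ALL, "peer": ("FW", "dmz")}},
    "DB": {"eth0": {"in": PERMIT_ALL, "out": PERMIT_ALL, "peer": ("FW", "db")}},
}
HTTPS = {"src": "203.0.113.7", "dst": "10.0.1.10", "proto": "tcp", "dport": 443}
SSH = dict(HTTPS, dport=22)
```

In this constructed topology the HTTPS packet passes the inbound ACL on the FW outside interface and reaches WEB, is stopped from reaching DB by the outbound ACL on the FW db interface, and the SSH packet is stopped at the FW inbound ACL.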

Further, it is noted that the attack simulations described in COHEN are used to 
determine whether an attacker can obtain access to nodes in the network, and not for the 
purpose of determining whether a packet can travel to a given node. See, for example, COHEN, 
paragraph [0032] (using telnet to access a device); paragraph [0033] (opening an HTTP 
connection); paragraph [0047] (obtaining access to a node); paragraph [0078] (exploiting 
HTTP management console for brute force password attack); and paragraph [0079] 
(performing rlogin to an administration server). To the extent that COHEN describes use of 
ACLs, COHEN describes that ACLs are used to gather lists of IP addresses that represent 
possible starting points of an attack to the network. (See, for example, COHEN paragraphs 
[0035] and [0060].) In contrast, the above features of Claim 1 indicate functionalities of 
checking the inbound ACL of a network device interface that is the entry point of the packet
in the network and, if the inbound ACL permits the ingress of the packet, checking one or more 
outbound ACLs of the outbound interfaces of the network device to determine the neighbor 
network devices to which the packet can travel. 

Finally, it is noted that MILLIKEN does not cure the deficiencies of COHEN with
respect to the above features of Claim 1. The Office Action does not assert and the Applicants
could not find that MILLIKEN describes the above features of Claim 1. In fact, MILLIKEN 
does not even mention the terms "access control list" or "ACL". 

For the foregoing reasons COHEN and MILLIKEN, whether taken alone or in 
combination, do not describe or suggest all features of Claim 1. Thus, Claim 1 is patentable
under 35 U.S.C. § 103(a) over COHEN in view of MILLIKEN. Reconsideration and 
withdrawal of the rejection of Claim 1 is respectfully requested. 

C. INDEPENDENT CLAIMS 22, 25-27, 49, AND 72 

Claims 22, 25-27, 49, and 72 were rejected as allegedly unpatentable under 35 U.S.C. § 
103(a) over COHEN in view of MILLIKEN. 

Claims 22, 25-27, 49, and 72 include features similar to the features of Claim 1 
discussed above. For this reason, it is respectfully submitted that Claims 22, 25-27, 49, and 72 
are patentable under 35 U.S.C. § 103(a) over COHEN in view of MILLIKEN for at least the 
reasons given above with respect to Claim 1. Reconsideration and withdrawal of the rejection 
of Claims 22, 25-27, 49, and 72 is respectfully requested. 

D. DEPENDENT CLAIMS 2-13, 15-21, 23-24, 28-39, 41-48, 50-62, AND 64-71

Claims 2-13, 15-21, 23-24, 28-39, 41-48, 50-62, and 64-71 were rejected as allegedly
unpatentable under 35 U.S.C. § 103(a) over COHEN in view of MILLIKEN.

Each of Claims 2-13, 15-21, 23-24, 28-39, 41-48, 50-62, and 64-71 depends from one 
of independent Claims 1, 22, 27, and 49, and thus includes each and every feature of the 
independent base claim. Thus, each of Claims 2-13, 15-21, 23-24, 28-39, 41-48, 50-62, and 
64-71 is allowable for at least the reasons given above for Claims 1, 22, 27, and 49. In 
addition, each of Claims 2-13, 15-21, 23-24, 28-39, 41-48, 50-62, and 64-71 introduces one or 
more additional features that independently render it patentable. However, due to the
fundamental differences already identified, to expedite the positive resolution of this case a 
separate discussion of those features is not included at this time. Therefore, it is respectfully 
submitted that Claims 2-13, 15-21, 23-24, 28-39, 41-48, 50-62, and 64-71 are allowable for the 
reasons given above with respect to Claims 1, 22, 27, and 49. Reconsideration and withdrawal 
of the rejection of Claims 2-13, 15-21, 23-24, 28-39, 41-48, 50-62, and 64-71 is respectfully 
requested. 

III. CONCLUSION

The Applicants believe that all issues raised in the Office Action have been addressed. 
Further, for the reasons set forth above, the Applicants respectfully submit that allowance of the 
pending claims is appropriate. Reconsideration of the present application is respectfully 
requested in light of the amendments and remarks herein. 

The Examiner is respectfully requested to contact the undersigned by telephone if it is 
believed that such contact would further the examination of the present application. 

A petition for extension of time, to the extent necessary to make this reply timely filed, 
is hereby made. If any applicable fee is missing or insufficient, throughout the pendency of this 
application, the Commissioner is hereby authorized to charge any applicable fees and to credit 
any overpayments to our Deposit Account No. 50-1302. 

Respectfully submitted, 

HICKMAN PALERMO TRUONG & BECKER LLP 

Dated: March 15, 2010 /StoychoDDraganoff#56181/

Stoycho D. Draganoff 
Reg. No. 56,181 

2055 Gateway Place, Suite 550 
San Jose, California 95110-1089
Telephone No.: (408) 414-1080 ext. 208 
Facsimile No.: (408) 414-1076 